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PRELIMINARY AMENDMENT 



Honorable Commissioner of Patents 

and Trademarks 
Washington, D.C. 20231 

Sir: 

Please amend the subject application, filed concurrently herewith, as 
indicated below: 



IN THE TITLE: 



Delete the title in its entirety and substitute the following new title: 
--METHOD FOR VERIFYING A SIGNATURE OR AN AUTHENTICATION—. 
IN THE SPECIFICATION : 

After the title and before the first paragraph on page 1 , insert the following 
heading at the left-hand margin: , 
- FIELD OF THE INVENTION -: 
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Page 1 , line 7, insert the following heading at the left-hand margin: 
- BACKGROUND OF THE INVENTION -- ; 

Page 1, at line 16, before the paragraph beginning "The majority,...", insert 
the following heading at the left hand margin: 
- DESCRIPTION OF RELATED ART - ; 

Page 2, at line 5, and before the paragraph beginning "The object of the ..." 
insert the following paragraph at the left-hand margin: 
- SUMMARY OF THE INVENTION -: 

Page 3, at line 1 and before the first paragraph, insert the following heading at 
the left hand margin: 

- BRIEF DESCRIPTION OF THE DRAWINGS- : 

Page 3, at line 13 and before the paragraph beginning "A more detailed...", 
insert the following heading at the left hand margin: 
- DESCRIPTION OF THE PREFERRED EMBODIMENT(S) -: 

Page 6, line 29, after "zero", insert -subtraction by m~", and before 
"substraction", delete "a" and substitute -one-; 

Page 8, after line 19, insert the following new paragraph: 

-While this invention has been described in conjunction with specific 
embodiments thereof, it is evident that many alternatives, modifications and 
variations will be apparent to those skilled in the art. Accordingly, the preferred 
embodiments of the invention as set forth herein, are intended to be illustrative, not 
limiting. Various changes may be made without departing from the true spirit and full 
scope of the invention as set forth herein and defined in the claims. — 
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IN THE CLAIMS : 

Please cancel claims 1 - 13 in their entirety and without prejudice and 
substitute the following new claims: 
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1 --14. A method for verifying a signature, or respectively an 

2 authentication, utilizing an asymmetric private-key and public-key cryptographic 

3 calculation process between a "prove? entity and a "verifier entity, wherein the 

4 prover entity performs first cryptographic calculations with said private key to 

5 produce a signature calculation, or respectively an authentication value 

6 constituting a response value, and the verifier entity, based on said response 

7 value, performs second cryptographic calculations with said public key to 

8 perform said signature verification, or respectively said authentication, the first 

9 and second cryptographic calculations serving to implement the calculation of 

10 modulo-n or large-number multiplications, characterized in that for a 

11 cryptographic calculation process using a public key comprising a public 

12 exponent e and a public modulo n, and a private key comprising a private 

13 exponent, it comprises the following steps" 

14 - calculating at the level of said prover entity at least one prevalidation 

15 value; 

16 - transmitting from the prover entity to the verifier entity at least said one 

17 prevalidation value, and utilizing said prevalidation value by the verifier entity to 

18 perform at least one modular reduction without any division operation for said 

19 modular reduction. 



1 15. A method according to claim 14, characterized in that for a public 

2 exponent e=2, and wherein the cryptographic calculation process is based on a 

3 RABIN algorithm, said at least one prevalidation value comprises a unique value, 

4 which is the quotient Q of the square of said respective value of a signature or a 

5 response by said public modulo n, Q = R*R/n, where R designates said 

6 respective value of a signature or a response to an authentication. 



1 1 6. A method according to claim 1 5, characterized in that after the 

2 reception by said entity of said respective value of a response to an 

3 authentication verification or a signature of a message (M), and of said at least 
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4 one prevalidation value comprising said quotient, said method comprises, at the 

5 level of said verifier entity, the following steps: 

6 - calculating the difference (D A r, D S r) between the square of the response 

7 value R*R and the product Q*n of said quotient Q by said public modulo n, (D A r, 

8 D S r = R*R =Q*n; and 

9 - verifying the equality of said difference with the value of a function of 
10 said response value, without any division operation by the modulo n operation. 

1 1 7. A method according to claim 1 4, characterized in that for a public 

2 exponent e = 3, and wherein the cryptographic calculation process is based on 

3 an RSA algorithm, said at least one prevalidation value comprises: 

4 - a first quotient Qi of the square R*R of said response value R by said 

5 public modulo n; and 

6 - a second quotient Q 2 of the product of said response value and the 

7 difference between the square R*R of said response value and the product of 

8 said first quotient Qi and the public modulo n, by said public modulo n, Q 2 = 

9 R*(R*R - Qrn)/n. 

1 1 8. A method according to claim 1 7, characterized in that after the 

2 reception of said response value R and said at least one prevalidation value 

3 comprising said first and second quotients Qi and Q2, said method comprises, at 

4 the level of said verifier entity, the following steps: 

5 - calculating the difference (D A rsa, D S rsa) between the product of said 

6 response value R and the difference between the square R*R of this response 

7 value and the product of said first quotient Qi and the public modulo n, and the 

8 product of said second quotient Q 2 and said public modulo n (Darsa, Dsrsa) = 

9 R*(R*R - Q^nJ-CVn; and 

10 - verifying the equality of this difference with the value of a function of said 

11 response value, without any division operation by modulo n operation. 
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1 1 9. A method according to claim 1 6, characterized in that for an 

2 operation for verifying a signature of a message (M), said function comprising a 

3 standardized public function f(M) of said message M, said method comprises the 

4 following steps: 

5 - applying a condensation function to said message to obtain a message 

6 digest CM; and 

7 - concatenating said message digest with a constant value. 

1 20. A method according to claim 18, characterized in that for an 

2 operation for verifying a signature of a message (M), said function comprising a 

3 standardized public function f(M) of said message M, said method comprises the 

4 following steps: 

5 - applying a condensation function to said message to obtain a message 

6 digest CM; and 

7 - concatenating said message digest with a constant value. 

1 21 . A method according to claim 16, characterized in that, for an 

2 authentication verification operation, said method further comprises the step for 

3 transmitting a prompt value from the verifier entity to the prover entity. 

1 22. A method according to claim 1 8, characterized in that, for an 

2 authentication verification operation, said method further comprises the step for 

3 transmitting a prompt value from the verifier entity to the prover entity. 

1 23. A method according to claim 21 , characterized in that said prompt 

2 value comprises a random value A modulo n, said response value R comprises 

3 an encrypted value B, and said function of the response value comprises a 

4 function f(A) of said random value A. 
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1 24. A method according to claim 22, characterized in that said prompt 

2 value comprises a random value A modulo n, said response value R comprises 

3 an encrypted value B, and said function of the response value comprises a 

4 function f(A) of said random value A. 

1 25. A method according to claim 16, characterized in that said function 

2 f(A) of said random value A comprises a function among the functions f(A) = A, 

3 f(A) = n-A, f(A) = C*A modulo n, f(A) = -C*A modulo n. 

1 26. A method according to claim 21 , characterized in that said function 

2 f(A) of said random value A comprises a function among the functions f(A) = A, 

3 f(A) = n-A, f(A) = C*A modulo n, f(A) = -C*A modulo n. 

1 27. A method according to claim 22, characterized in that said function 

2 f(A) of said random value A comprises a function among the functions f(A) = A, 

3 f(A) = n-A, f(A) = C*A modulo n, f(A) = -C*A modulo n. 

1 28. A method according to claim 25, characterized in that at the level of 

2 the verifier entity, the calculation of said function f(A) = C*A modulo n comprises 

3 calculation of the value C*A and storing of said value if C*A < n, and the 

4 calculation and storing of the value C*A-n if not, and in that calculation of said 

5 function f(A) = -C*A modulo n comprises calculation of the value n-C*A and 

6 storing of said value if n-C*A > 0, and otherwise calculation of the intermediate 

7 value C*n-C*A, and if said intermediate value is greater than or equal to zero, 

8 calculation and storing of the value of -C*A modulo n, for verifying the equality of 

9 said authentication without any division for the modular reduction. 

1 29. A method according to claim 26, characterized in that at the level of 

2 the verifier entity, the calculation of said function f(A) = C*A modulo n comprises 

3 calculation of the value C*A and storing of said value if C*A < n, and the 
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4 calculation and storing of the value C*A-n if not, and in that calculation of said 

5 function f(A) = -C*A modulo n comprises calculation of the value n-C*A and 

6 storing of said value if n-C*A > 0, and otherwise calculation of the intermediate 

7 value C*n-C*A, and if said intermediate value is greater than or equal to zero, 

8 calculation and storing of the value of -C*A modulo n, for verifying the equality of 

9 said authentication without any division for the modular reduction. 

1 30. A method according to claim 27, characterized in that at the level of 

2 the verifier entity, the calculation of said function f(A) = C*A modulo n comprises 

3 calculation of the value C*A and storing of said value if C*A < n, and the 

4 calculation and storing of the value C*A-n if not, and in that calculation of said 

5 function f(A) = -C*A modulo n comprises calculation of the value n-C*A and 

6 storing of said value if n-C*A > 0, and otherwise calculation of the intermediate 

7 value C*n-C*A, and if said intermediate value is greater than or equal to zero, 

8 calculation and storing of the value of -C*A modulo n, for verifying the equality of 

9 said authentication without any division for the modular reduction. 

1 31 . A method according to claim 23, characterized in that said function 

2 f(A) of said random value A is the function f(A) = A, which makes it possible to 

3 verify the equality of said difference and the validity of said authentication without 

4 any division operation for the modular reduction. 

1 32. A method according to claim 24, characterized in that said function 

2 f(A) of said random value A is the function f(A) = A, which makes it possible to 

3 verify the equality of said difference and the validity of said authentication without 

4 any division operation for the modular reduction. 



1 33. A method according to claim 14, characterized in that said 

2 response value, an encrypted value B, and a quotient value Q are concatenated 

3 prior to transmission of the values from the prover entity to the verifier entity. 
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1 34. A method according to claim 1 4, wherein the verifier entity 

2 compression embedded system such as a microprocessor card and the prover 

3 entity comprises an embedded card reading system. -- 
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IN THE ABSTRACT: 

Please cancel the Abstract at page 13 and substitute the following Abstract. 



TYSO01 9126954vOIT2146-906752|12\15\00 
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1 -ABSTRACT 

2 The invention concerns a method for verifying a signature or an 

3 authentication between a prover and a verifier based on an asymmetric 

4 cryptographic calculation algorithm. The prover calculates (1) at least one 

5 prevalidation value q, which is a quotient of two cryptographic values a, b by the 

6 public modulo n, and transmits this value q to the verifier. The verifier calculates (3) 

7 the products a*b and q*n and the difference a*b-q*n in order to perform at least one 

8 modular reduction without a division operation. The invention applies to signature or 

9 authentication verification between a proving microcomputer and a verifying 
10 microprocessor card. -- 
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REMARKS 



This Preliminary Amendment is filed to insert headings to conform the 
application to U.S. practice, to eliminate the use of multiple dependent claims, and to 
correct informalities in the specification, claims and abstract resulting from a literal 
translation of the French text. 

Early action on the merits is earnestly solicited. 



Respectfully submitted, 



MILES & STOCKBRIDGE P.C. 



Date : December 20. 2000 




Irdward J. Koryrjracki 
Registration No. 20,604 



1751 Pinnacle Drive - Suite 500 
McLean, VA 22102-3833 
Tel.: 703/903-9000 
Fax: 703/610-8686 
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PROPOSED DRAWING CORRECTIONS 

Hon. Commissioner of Patents and Trademarks 
Washington, D.C. 20231 

Sir: 

Applicant requests approval of the drawing corrections on Figs. 1 - 3B as shown in red on the 
attached three (3) sheets. 

The proposed corrections only comprise translating the French terms into English and 
removing the headings "1/3" - "3/3" to conform the drawings to U.S. practice. 

Respectfully submitted, 



MILES & STOCKBRIDGE P.C. 



Date: December 20, 2000 




toward I J. Koncfi 
Registration No( 20,604 



1751 Pinnacle Drive - Suite 500 
McLean, VA 22102-3833 
Tel.: 703/903-9000 
Fax: 703/610-8686 
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SIGNATURE VERIFICATION- 




AUTHENTICATION METHOD 



The present invention relates to a method that makes it possible to increase the efficiency, 
in terms of the calculation time and the RAM and ROM required, of the verification of a 
5 signature or an asymmetric authentication requiring several modulo-n or large-number 
multiplications. 

The RSA and Rabin signature or authentication algorithms are examples that allow the 
implementation of this method. 



10 for example a personal computer designated PC, that generates a signature or an authentication 
i by means of a secret key, which must then be verified by a microcomputer card. The 

microcomputer performs this verification by means of a public key. It has relatively little power 

compared to the PC. 



11 5 microcontroller with an incorporated memory. 

The majority of public key algorithms used in the world today perform "large-number" 
modulo calculations. "Large-number" designates positive whole numbers of at least 320 bits. For 
security reasons, the scientific community currently recommends the use of numbers of at least 
5 12 bits, or even 1024 bits for most of the algorithms, for example for the RSA or Rabin 

20 algorithms. 

Currently, microcomputer cards are brought to dialog with computers having computing 
capacities much larger than their own. Moreover, for cost reasons, microcomputer cards without 
an arithmetic coprocessor and with very limited memory resources (ROM, RAM, EEPROM) are 
used. For this reason, the calculations normally required to perform an authentication verification 
25 or a public-key signature verification using large-number modulo calculations are often very 
long, or even impossible without enough memory, if the traditional descriptions of the 
cryptographic algorithms are used. 



The method is more particularly adapted to an implementation in the case of a computer, 



The term "microcomputer card" is intended to mean a standard monolithic 
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• " verifier ": the entity that verifies the authentication, or that verifies the validity of a 
signature. To do this, it performs calculations involving only the public key of the 
asymmetric cryptographic algorithm used. It can be, for example, a microcomputer 
card. 

5 The object of the present invention is to implement a method for verifying signatures and 

authentications that makes it possible to eliminate the aforementioned disadvantages inherent in 
the more limited computing capacity of a verifying entity constituted by a microcomputer card, 
as compared to a proving entity such as a personal computer or the like equipped with a card 
reading device. 

10 Consequently, another object of the present invention is to simplify the verifier's 

operations for calculating certain modular reductions through the implementation of additional 
calculations by the prover, the verifier's task thus being simplified without any reduction in the 
theoretical security of the system. 

; The method for verifying a signature, or respectively an authentication, by means of an 

15 asymmetric private -key and public-key cryptographic calculation process, which is the subject of 
the present invention, this method being implemented between a "prover" entity and a "verifier" 
entity, the prover entity performing cryptographic calculations with the private key in order to 
produce a signature calculation, or respectively an authentication value, and the verifier entity, 
based on this transmitted value, performing cryptographic calculations with this public key in 

20 order to perform this signature verification, or respectively this authentication, the cryptographic 
calculation operations implementing the calculation of modulo n or large-number 
multiplications, is remarkable in that for a cryptographic calculation process using a public key 
constituted by a public exponent e and a public modulo n, and a private key constituted by a 
private exponent d, this method consists of calculating, at the level of the prover entity, at least 

25 one prevalidation value and transmitting from the prover entity to the verifier entity this at least 
one prevalidation value, thereby allowing the verifier entity to perform at least one modular 
reduction without any division operation for this modular reduction. 

The method that is the subject of the present invention applies to any dialogue or protocol 
for exchanging messages between a prover entity such as a personal computer and a verifier 

30 entity such as a microcomputer card, particularly in connection with banking transactions, access 
control, or the like. 

TYSO01 :91 2680avOI000001-#BRCH7!1 2\14\00 Q 



It will be more clearly understood by reading the description below and examining the 
drawings, in which: 

- Fig. 1 represents a diagram illustrating the method that is the subject of the present 
invention, implemented between a prover entity and a verifier entity; 

5 - Fig. 2a represents a diagram illustrating the method that is the subject of the present 

invention, implemented with a Rabin authentication verification algorithm; 

- Fig. 2b represents a diagram illustrating the method that is the subject of the present 
invention, implemented with a Rabin signature verification algorithm; 

- Fig. 3a represents a diagram illustrating the method that is the subject of the present 
10 invention, implemented with an RSA authentication verification algorithm; 

- Fig. 3b represents a diagram illustrating the method that is the subject of the present 
invention, implemented with an RSA signature verification algorithm. 

A more detailed description of the method that is the subject of the invention is given in 
connection with Fig 1 and the subsequent figures. 

15 The method that is the subject of the invention implements, at the verifier entity level, 

public-key algorithms requiring modulo-n or large-number multiplications, and modifies them 
slightly by having one or more quotients q calculated externally, i.e. at the prover entity level, 
and by supplying this quotient or quotients to the verifier. Thus, the verifier can more easily and 
quickly calculate certain modular multiplications: instead of calculating a*b modulo n, it only 

20 has to calculate a*b, q*n, and a*b-q*n, a and b designating values of the signature or 

authentication verification calculation. Sometimes, for security reasons,, it uses the latter value in 
a way that allows it to make sure that this latter value is actually between 1 and n. When an 
algorithm is thus modified by "precalculating" certain quotients that are supplied to the verifier 
in order to simplify the calculations executed by the latter, it is called a "subjacenf algorithm in 

25 order to designate the initial algorithm from which it is derived, prior to performing this 

modification. Thus, in reference to Fig. 1, according to a remarkable aspect of the method that is 
the subject of the present invention, the quotient or quotients q that verify the relation q=a*b/n 
constitute one or more prevalidation values transmitted to the verifier entity in order to allow the 
verifier entity to perform at least one modular reduction without any division operation for this 

30 modular reduction. Referring to Fig. 1 , it is indicated that the method that is the subject of the 
invention can be implemented either when verifying the authentication after the sending of an 

TYSO01 :9126808vOI000001-#BRCH7l12\14\00 o 



prompt value such as a random value a (see the reference 0 in the figure), the internal calculation 
(reference 1) at the prover level of a response value b = a d mod n and the prevalidation value q, 
the transmission (reference 2) of b and q from the prover to the verifier, and the calculation 
(reference 3) by the verifier of the quantities a*b, q*n and a*b-q*n in order to perform the 
verification of the authentication, or when verifying the signature of a message M after the 
calculation (reference 1) at the prover level of a signature S = S d (M) for the message M and the 
prevalidation value q, the sending (reference 2) of q, S and M from the verifier to the prover, the 
calculation (reference 3) at the verifier level of the quantities a*b = S*S, q*n and a*b-q*n in 
order to perform the signature verification. 

In Fig. 1 and the subsequent figures, a straight arrow represents the transmission of the 
aforementioned values from the verifier to the prover or vice versa, and a looped arrow at the 
prover level or the verifier level represents the implementation of an internal calculation at the 
prover level or the verifier level. Finally, in the description below, the response R designates 
either the value b calculated by encrypting the random number a in the case of an authentication 
verification b = a d mod n, or the signature value S = S d (M) following the connection of the 
verifier and the prover. 

Various examples of the implementation of the method that is the subject of the present 
invention will now be described based on subjacent algorithms, designated by RS A and Rabin 
algorithms. 

Subjacent RSA and Rabin algorithms 

The RSA algorithm is the most famous of the asymmetric cryptographic algorithms. It 
was invented by RIVEST, SHAMIR and ADLEMAN in 1978. Its description may be found in: 

R. L. Rivest, A. Shamir, L.M. Adleman: "A Method for Obtaining Digital Signatures and 
Public-Key Cryptosystems," Communications of the ACM, 21, No. 2, 1978, pp. 120-126, or in 
the following documents: 

• ISO/EC 9594-8/TTU-T X.509, Information Technology - Open Systems 
Interconnection - The Directory: Authentication Framework; 

• ANSI X9/3 1 - 1 , American National Standard, Public-Key Cryptography Using 
Reversible Algorithms for the Financial Services Industry, 1993. 

These documents are introduced into the present description as references. 
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The RSA algorithm uses a whole number n that is the product of two large prime 
numbers p and r, and a whole prime number e with ppcm(p-l, r-1), and such that e • ± 1 modulo 
ppcm(p-l ,r-l). The integers n and e constitute the public key. The public key calculation uses 
the function a of Z/nZ in Z/nZ defined by a(x)=X e mod n. The secret key calculation uses the 
5 function a 1 (y)=y d mod n, where d is the secret exponent, also called the "secret key" or "private 
key" defined by ed = 1 mod ppcm(p-l, r-1). 

Let n be the RSA public modulo, let d be the RSA secret exponent and let e be the RSA 
public exponent. 

In the case of an authentication verification, the verifier generates a random number A 
10 modulo n, and sends it to the prover. The latter then calculates B= A d modulo n, and returns this 
value B to the verifier. The latter accepts the authentication if and only if B e modulo n = A. 

The smallest value of e for using the RSA algorithm is e = 3. For e = 2, the Rabin 
algorithm is used; the latter will be described later in the description. This value e = 3 is 
advantageous since it allows the verifier to have only two modular multiplications to perform. 
15 The Rabin algorithm is similar to an RSA algorithm with the public exponent e = 2. In 

fact, when e = 2, the function x e is not bijective modulo n, when n is the product of two prime 
numbers > 2, so slight modifications are introduced in the use of the Rabin algorithm as 
compared to the RSA algorithm. 

A description of the Rabin algorithm may be found in: 
20 M.O. Rabin, "Digitized Signatures and Public-Key Functions as Intractable as 

Factorization," Technical Report LCS/TR-212, M.I.T. Laboratory for Computer Science, 1979, 
introduced in the present patent application as a reference. 

Exemplary implementations of the method that is the subject of the invention using the Rabin 
and RSA algorithms 
25 ♦ Rabin algorithm 

The method that is the subject of the present invention will first be described in a 
particular non-limiting embodiment based on the Rabin algorithm, or for e = 2. 
♦ ♦ Authentication verification 

As represented in Fig. 2a, a possible example of the utilization of the Rabin algorithm in 
30 authentication verification is described below. 
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Let n be the public modulo. The verifier generates a random number A modulo n, and 
sends it (reference 0 in the figure) to the prover. The latter then calculates a number B (reference 
1), and sends this value B to the verifier. The latter accepts the authentication if and only if B*B 
modulo n is equal to one of the following four possible values: A, or n-A, or C*A modulo n, or - 
C*A modulo n. C is a number set by the protocol, most often C = 2. 

In order to simplify the verification process in accordance with the method that is the 
subject of the present invention, the prover does not send (reference 2) the value B alone: it sends 
B and Q, where Q is the quotient of B*B by the public modulo n. The verifier then verifies that 
D A r = B*B = Q*n is actually equal to one of the following four values: A, n-A, (C* A) modulo n, 
or (-C* A) modulo n. In addition, it can calculate (C* A) modulo n, by calculating C* A, keeping 
this value if it is < n, and otherwise taking the value C*A - n. Thus, the verifier does not have 
any division to perform. 

♦ ♦ Signature verification 

Thus, as represented in Fig. 2b, and keeping the same notations as above, let M be the 
message whose signature S the verifier wishes to verify. The signature S is obtained from the 
private key d by S = S d (M), Sd(M) designating the operation for calculating the signature of the 
message M. If S is a Rabin signature of M, then the verifier normally verifies that S*S modulo n 
= f(M) or n-f(M), or (2*f(M) modulo n) or (-2*f(M) modulo n), where f is a standardized public 
function of the message M. For example, f is the identity function, or is described in a signature 
standard; for example, it is possible o use the padding or concatenation operations of the 
PKCS#1 standard normally established for RSA; see the descriptive elements of this standard 
later in the description. 

Keeping the same notations as above, in order to simplify the signature verification 
process as represented in Fig. 2b, in the method that is the subject of the present invention, the 
prover does not send (reference 2) the value S alone: it sends S and Q, where Q is the quotient of 
S*S by the public modulo n. The verifier then verifies that Dsr = S*S - Q*n is actually equal to 
f(M), or n-f(M), or C*f(M) modulo n, or — C*f(M) modulo n, where C is a number set by the 
protocol, C being able to be taken as equal to 2. Since these last two values can be modulo-n 
calculated by performing zero or a subtraction by n, the verifier no longer has any division to 
calculate. 
♦ RSA algorithm 
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The method that is the subject of the present invention will now be described in a 
particular non-limiting embodiment based on the RSA algorithm, or for e = 3. 
♦ ♦ Authentication verification 

As represented in Fig. 3a, beginning with a random number A, in order to simplify the 
5 verification process, in the present invention, the prover does not send (reference 2) the value B 
alone: it sends B, Ql and Q2, where Ql is the quotient of B*B by the public modulo n, and 
where Q2 is the quotient of B* (B*B - Ql*n) by n. The verifier then verifies that D A rsa = 
B*(B*B - Ql*n) -Q2*n is actually equal to A. Thus, the verifier no longer has any division to 
perform. 

10 ♦ ♦ Signature verification 

Keeping the same notations as above and letting M be the message whose signature S the 
verifier wishes to verify, S is an RSA signature of M, so the verifier normally verifies that S e 
modulo n = f(M), where f is a standardized public function of the message M. For example, f is 
the identity function, or is described in an RSA signature standard, such as for example the 

'l 5 PKCS#1 standard. The standardized public function can consist of applying a condensation 

function SHA-1 to the message M in order to obtain a message digest CM, then of concatenating 
this message digest with a constant value. 

Thus, as represented in Fig. 3b, and keeping the same notations as above, in order to 
simplify the signature verification process, in the method that is the subject of the present 

20 invention, the prover does not send (reference 2) the value S alone: it sends S, Ql and Q2, where 
Ql is the quotient of S*S by the public modulo n, and where Q2 is the quotient of S*(S*S - 
Ql*n) by n. The verifier then verifies that Dsrsa = S*(S*S = Ql*n) -Q2n is actually equal to 
f(M). Thus, the verifier no longer has any division to perform. 

The condensation function SHA-1 is a public "condensation" function. It takes as input a 

25 message whose size can run from 0 bytes to several gigabytes, and yields as output a 160-bit 
"digest" of the message. This function is often used in standards or with signature algorithms, 
since it is reputed to be collision-resistant, which means that it is not known how to concretely 
find two separate messages that have the same message digest (they exist, but it is not known 
how to find such a pair of messages). This makes it possible to sign the message digests rather 

30 than the messages themselves. 
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The PKCS#1 standard is an RSA signature standard. It describes a public function f. This 
function f is applied to the message M to be signed with RSA before launching the RSA modular 
exponentiation operation itself: the RSA signature of M is therefore S = (f(M)) d modulo n, where 
is the RSA public modulo and where D is the RSA secret exponent, f uses a condensation 
5 function (for example SHA-1) followed by a padding, or concatenation, with a constant. 
For a more detailed conscription, please consult: 

PKCS#1, RSA Encryption Standard, Version 2, 1998, available at the following address: 
ftp://ftp.rsa/com/pub/pkcs/doc/pkcs-lv2.doc 
whose published version is introduced in the present application as a reference. 

10 The invention thus consists of supplying additional data to the verifier in order to 

facilitate its calculations. In order to precalculate this data, in this case the quotients constituting 
the prevalidation value or values, it is not necessary to use the secret key of the algorithm. This 
means that this data is completely redundant relative to the values transmitted to the card in a 
"conventional" utilization of the asymmetric algorithm. In fact, in the "conventional" version, 

1 5 the card knows how to find these quotients itself. There is therefore no additional information 
supplied to the card, in the sense of information theory, when the method that is the subject of 
the present invention is implemented as described above. This shows that the security of the 
system is in no way weakened as compared to the "conventional" implementation of the 
algorithm. 
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CLAIMS 



1 1. Method for verifying a signature, or respectively an authentication, by 

2 means of an asymmetric private-key and public-key cryptographic calculation process 

3 between a "prover" entity and a "verifier" entity, the prover entity performing 

4 cryptographic calculations with said private key in order to produce a signature 

5 calculation, or respectively an authentication value constituting a response value, and the 

6 verifier entity, based on this response value, performing cryptographic calculations with 

7 said public key in order to perform this signature verification, or respectively this 



8 authentication, the cryptographic calculation operations implementing the calculation of 

9 the modulo-n or large-number multiplications, characterized in that for a cryptographic 

10 calculation process using a public key comprising a public exponent e and a public 

1 1 modulo n, and a private key comprising a private exponent, it comprises the following 

12 steps" 

13 - calculating at the level of said prover entity at least one prevalidation value; 

14 - transmitting from the prover entity to the verifier entity at least said one 

1 5 prevalidation value, this prevalidation value allowing the verifier entity to perform at 

16 least one modular reduction without any division operation for this modular reduction. 

1 2. Method according to claim 1, characterized in that for a public exponent 

2 e=2, the cryptographic calculation processing being based on a RABIN algorithm, said at 

3 least one prevalidation value comprises a unique value, which is the quotient Q of the 

4 square of said respective value of a signature or a response by said public modulo n, Q = 

5 R*R/n, where R designates said respective value of a signature or a response to an 

6 authentication. 

1 3. Method according to claim 2, characterized in that after the reception by 

2 said entity of said respective value of a response to an authentication verification or a 

3 signature of a message (M), and of said at least one prevalidation value comprising said 

4 quotient, this method comprises, at the level of said verifier entity, the following steps: 
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5 - calculating the difference (D A r, D sr ) between the square of the response value 

6 R*R and the product Q*n of said quotient Q by said public modulo n, (D A r, D sr = R*R 

7 =Q*n; 

8 - verifying the equality of said difference with the value of a function of this 

9 response value, without any division operation by the modulo n operation. 

1 4. Method according to claim 1 , characterized in that for a public exponent e 

2 = 3, the cryptographic calculation process being based on an RSA algorithm, said at least 

3 one prevalidation value comprises: 

4 - a first quotient Qi of the square R*R of said response value R by said public 

5 modulo n; 

6 - a second quotient Q 2 of the product of said response value and the difference 

7 between the square R*R of this response value and the product of said first quotient Qi 

8 and the public modulo n, by said public modulo n, Q 2 = R*(R*R - Qi*n)/n. 

1 5. Method according to claim 4, characterized in that after the reception of 

2 said response value R and said at least one prevalidation value comprising said first and 

3 second quotients Qi and Q 2 , said method comprises, at the level of said verifier entity, the 

4 following steps: 

5 - calculating the difference (D A rsa, D SRS a) between the product of said response 

6 value R and the difference between the square R*R of this response value and the product 

7 of said first quotient Qi and the public modulo n, and the product of said second quotient 

8 Q 2 and said public modulo n (D ARSA , D SRS a) = R*(R*R - Qi*n)-Q 2 *n; 

9 - verifying the equality of this difference with the value of a function of said 

10 response value, without any division operation by modulo n operation. 

1 6. Method according to claim 3 or 5, characterized in that for an operation 

2 for verifying a signature of a message (M), said function comprising a standardized 

3 public function f(M) of this message M, it comprises the following steps: 
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4 - applying a condensation function to this message in order to obtain a message 

5 digest CM; 

6 - concatenating this message digest with a constant value. 

1 7. Method according to either claim 3 or 5, characterized in that, for an 

2 authentication verification operation, this method also comprises the step for transmitting 

3 an prompt value from the verifier entity to the prover entity. 

1 8. Method according to claim 7, characterized in that said prompt value 

2 comprises a random value A modulo n, said response value R comprises an encrypted 

3 value B, and said function of the response value comprises a function f(A) of said random 

4 value A. 

1 9. Method according to either of claims 3 and 7, characterized in that said 

2 function f(A) of said random value A comprises a function among the functions f(A) = A, 

3 f(A) = n-A, f(A) = C*A modulo n, f(A) = -C*A modulo n. 

1 10. Method according to claim 9, characterized in that at the level of the 

2 verifier entity, the calculation of said function f(A) = C* A modulo n comprises the 

3 calculation of the value C*A and the storing of this value if C*A < n, and the calculation 

4 and storing of the value C*A-n if not, and in that the calculation of said function f(A) = - 

5 C*A modulo n comprises the calculation of the value n-C* A and the storing of this value 

6 if n-C*A > 0, and otherwise the calculation of the intermediate value C*n-C*A, and if 

7 this intermediate value is greater than or equal to zero, the calculation and storing of the 

8 value of -C*A modulo n, which makes it possible to verify the equality of said 

9 authentication without any division for the modular reduction. 

1 11. Method according to claims 5 and 8, characterized in that said function 

2 f(A) of said random value A is the function f(A) = A, which makes it possible to verify 



11 



3 the equality of said difference and the validity of said authentication without any division 

4 operation for the modular reduction. 

1 12. Method according to claim 1 , characterized in that said response value, the 

2 encrypted value B, and said quotient value Q are concatenated prior to their transmission 

3 from the prover entity to the verifier entity. 

1 13. Utilization of the method according to claim 1 , the verifier entity 

2 comprising an embedded system such as a microprocessor card and the prover entity 

3 comprising an embedded card reading system. 
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ABSTRACT 



The invention concerns a method for verifying a signature or an authentication 
between a prover and a verifier based on an asymmetric cryptographic calculation 
algorithm. 

The prover calculates (1) at least one prevalidation value q, which is a quotient of 
two cryptographic values a, b by the public modulo n, and transmits this value q to the 
verifier. The verifier calculates (3) the products a*b and q*n and the difference a*b-q*n 
in order to perform at least one modular reduction without a division operation. 

The invention applies to signature or authentication verification between a 
proving microcomputer and a verifying microprocessor card. 

Fig. 1 
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John C. Kerins, Reg. 32,421 



Adresser toure correspondance a: Send Correspondence to: 

Edward ^_XPJxdrackij L _Es£^ Edward J. Kondracki, Esq. 

K^^I_JSIQHEIJ i ^-KQmgACKi_ KERKAM, STOWELL , KONDRACKI 

i L _eLABKEL»_E J JL l . & CLARKE , P.C. 

5203 LjeejJburg_JPJ^e^^uite_6f^ 5203 Leesburg Pike, Suite 600 

Falls" Church ,_SA. 2-2-041 Falls Church, VA 22041 

Adresser toute communication telephonique a: Direct Telephone Calls to: {name and telephone number) 

(Worn) {Numero de telephone) 

Edward J. Kondracki, Esq. Edward J. Kondracki, Esq. 

(703) 998-3302 (703) 998-3302 



Nom complet du seul ou premier inventeur 

fiOIIRIN 1 nuis^ 


Full name of sole or first inventor 




Inventor's signature Date 


3 D nS1ilrown-S6quani 7501 5 PARIS FRANCE ff{ y_ 


Residence 


Nationality 

Francaise 


Citizenship 


3%T^rown-iequard 75015 PARIS FRANCE 


Post Office Address 






Nom complet du second co-inventeur, le cas ectieant 

RAIARIN Jacques. 


Full name of second joint inventor, if any 


Si^r^nnv^ ^ ^ Date^ 


Second inventor's signature Date 


Domicile 

1 1 , rue Amedee Daillv 78220 VIROFLAY FRANCE fW. 


.Residence 

f 


Nationaiite 
Frangaisa 


Citizenship 


Adresse Postale 

11, n ip Amedee Dailly 78220 VIROFLAY FRANCE 


Post Office Address 







(Fournir les memes renseignements et la signature de tout (Supply similar information and signature for third and sub- 
co-inventeur supplemental.) sequent joint inventors.) 
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